Fraud detectors at RSA Security have found a demo of a new online fraud toolkit that automates the process of setting up fake websites that sit between a user and a real site, such as a bank, she is trying to access with passwords or other authentication. Users must first click on a fake link, usually embedded in a "phishing" email for the fake website to load and steal the username and passwords.
Using the Universal Man-in-the-Middle Phishing Kit, the fraudster creates a fraudulent URL via a simple and user-friendly online interface. This URL communicates with the legitimate website of the targeted organization in real-time – whether it is the online banking site of a financial institution, the order tunnel of an ecommerce company, or any other such business transacting with its users online. The victim receives a "standard" phishing email, and when clicking on the link s/he is directed to the fraudulent URL. The victim then interacts with genuine content from the legitimate website – which has been "imported" by the attack into the phishing URL – thus allowing the fraudster seamless, invisible and immediate access to the victim's personal information.